Two-factor authentication (2FA) is the most common case of the multi-factor authentication (MFA) model. As the name suggests, 2FA requires two distinct factors. Usually, the first factor is "something the user knows," a password, while the second factor is either "something the user possesses," like a smartphone or a smartcard, or "something the user is," like fingerprints or other biometric features. The key point is that an adversary must compromise both factors to obtain access to the guarded system.
Nymi's three-factor authentication (3FA) is the first known, consumer-level implementation of an authentication mechanism that employs more than two factors, while keeping the usability at a reasonable level. Nymi's 3FA technology revolves around electrocardiogram (ECG) features. In practice, the wristband is equipped with two ECG-measuring electrodes, thus acting both as a second factor (i.e., ECG features) and as a third factor (i.e., the actual wristband). These components are orchestrated by a smartphone app that handles authentication requests and fulfils the communication tasks between third-party apps and services, and the wristband.
In this work, I propose the first security analysis of Nymi's 3FA implementation, based on an early release of their development kit, with the goal of assessing the presence of vulnerabilities and the resilience to attacks.
The results of my analysis consist of 4 vulnerabilities. Moreover, I show that an adversary can leverage these vulnerabilities to bypass the 3FA entirely. Alarmed by my findings, I propose design recommendations and modifications to secure Nymi's 3FA implementation.
The conclusion of my assessment is that Nymi's 3FA is not ready for production, given the design and implementation flaws that I found. More generally, I conclude that building a secure and usable 3FA system is not as trivial as combining multiple factors, and thus requires further research and engineering efforts.